當(dāng)前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

[XMAN2018排位赛]Dragon Quest [MRCTF2020]VirtualTree

發(fā)布時(shí)間：2025/3/21 编程问答 39 豆豆

生活随笔收集整理的這篇文章主要介紹了 [XMAN2018排位赛]Dragon Quest [MRCTF2020]VirtualTree 小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

文章目錄

[XMAN2018排位賽]Dragon Quest
- 拖入ida
- v5 = start_quest((std::string *)v7);
- sanitize_input(v6);
- - 核心代碼1
  - 核心代碼2
- transform_input(v36)
- - 核心代碼
[MRCTF2020]VirtualTree
- 拖進(jìn)ida
- strlen((const char *)&dword_421318) != 16
- - 判斷長度是否等于16字節(jié)
- sub_401680(dword_421310)
- int sub_4016F0()
- - 腳本第一步：
  - 腳本第二步：

[XMAN2018排位賽]Dragon Quest

拖入ida

int __cdecl main(int argc, const char **argv, const char **envp) {__int64 v3; // rdxint v5; // [rsp+24h] [rbp-19Ch]char v6[8]; // [rsp+80h] [rbp-140h] BYREFchar v7[12]; // [rsp+88h] [rbp-138h] BYREFchar v8[8]; // [rsp+A0h] [rbp-120h] BYREFchar v9[8]; // [rsp+A8h] [rbp-118h] BYREFchar s[268]; // [rsp+B0h] [rbp-110h] BYREFint v11; // [rsp+1BCh] [rbp-4h]v11 = 0;std::operator<<<std::char_traits<char>>(&std::cout, (unsigned int)"+-----------------------+\n", envp);std::operator<<<std::char_traits<char>>(&std::cout,(unsigned int)"| Welcome Xman |\n","| Welcome Xman |\n");std::operator<<<std::char_traits<char>>(&std::cout,(unsigned int)"+-----------------------+\n\n","+-----------------------+\n\n");std::operator<<<std::char_traits<char>>(&std::cout,(unsigned int)"[!] Quest: there is a dragon prowling the domain.\n","[!] Quest: there is a dragon prowling the domain.\n");std::operator<<<std::char_traits<char>>(&std::cout,(unsigned int)"\tbrute strength and magic is our only hope. Test your skill.\n\n","\tbrute strength and magic is our only hope. Test your skill.\n\n");std::operator<<<std::char_traits<char>>(&std::cout,(unsigned int)"Enter the dragon's secret: ","Enter the dragon's secret: ");fgets(s, 257, stdin);std::allocator<char>::allocator(v8);std::string::string(v9, s, v8);std::allocator<char>::~allocator(v8);std::string::string((std::string *)v7, (const std::string *)v9);v5 = start_quest((std::string *)v7);std::string::~string((std::string *)v7);if ( v5 == 4919 ){std::string::string((std::string *)v6, (const std::string *)v9);reward_strength(v6);std::string::~string((std::string *)v6);}else{std::operator<<<std::char_traits<char>>(&std::cout,(unsigned int)"\n[-] You have failed. The dragon's power, speed and intelligence was greater.\n",v3);}v11 = 0;std::string::~string((std::string *)v9);return v11; }

v5 = start_quest((std::string *)v7);

if ( v5 == 4919 ){std::string::string((std::string *)v6, (const std::string *)v9);reward_strength(v6);std::string::~string((std::string *)v6);}

根據(jù)此代碼，這個(gè)函數(shù)必須返回值是4919

std::vector<int>::push_back(&hero, &secret_100);std::vector<int>::push_back(&hero, &secret_214);std::vector<int>::push_back(&hero, &secret_266);std::vector<int>::push_back(&hero, &secret_369);std::vector<int>::push_back(&hero, &secret_417);std::vector<int>::push_back(&hero, &secret_527);std::vector<int>::push_back(&hero, &secret_622);std::vector<int>::push_back(&hero, &secret_733);std::vector<int>::push_back(&hero, &secret_847);std::vector<int>::push_back(&hero, &secret_942);std::vector<int>::push_back(&hero, &secret_1054);std::vector<int>::push_back(&hero, &secret_1106);std::vector<int>::push_back(&hero, &secret_1222);std::vector<int>::push_back(&hero, &secret_1336);std::vector<int>::push_back(&hero, &secret_1441);std::vector<int>::push_back(&hero, &secret_1540);std::vector<int>::push_back(&hero, &secret_1589);std::vector<int>::push_back(&hero, &secret_1686);std::vector<int>::push_back(&hero, &secret_1796);std::vector<int>::push_back(&hero, &secret_1891);std::vector<int>::push_back(&hero, &secret_1996);std::vector<int>::push_back(&hero, &secret_2112);std::vector<int>::push_back(&hero, &secret_2165);std::vector<int>::push_back(&hero, &secret_2260);std::vector<int>::push_back(&hero, &secret_2336);std::vector<int>::push_back(&hero, &secret_2412);std::vector<int>::push_back(&hero, &secret_2498);std::vector<int>::push_back(&hero, &secret_2575);

對hero數(shù)組進(jìn)行一系列的push操作

if ( v5 ){if ( y26 >= 10 && ((((_BYTE)x25 - 1) * (_BYTE)x25) & 1) != 0 )goto LABEL_14;while ( 1 ){*v7 = legend >> 2;if ( y26 < 10 || ((((_BYTE)x25 - 1) * (_BYTE)x25) & 1) == 0 )break; LABEL_14:*v7 = legend >> 2;}}else{if ( y26 >= 10 && ((((_BYTE)x25 - 1) * (_BYTE)x25) & 1) != 0 )goto LABEL_15;while ( 1 ){std::string::string(v6, v10);if ( y26 < 10 || ((((_BYTE)x25 - 1) * (_BYTE)x25) & 1) == 0 )break; LABEL_15:std::string::string(v6, v10);}v4 = sanitize_input(v6);if ( y26 >= 10 && ((((_BYTE)x25 - 1) * (_BYTE)x25) & 1) != 0 )goto LABEL_16;while ( 1 ){*v7 = v4;std::string::~string(v6);if ( y26 < 10 || ((((_BYTE)x25 - 1) * (_BYTE)x25) & 1) == 0 )break; LABEL_16:*v7 = v4;std::string::~string(v6);}}dov3 = *v7;while ( y26 >= 10 && ((((_BYTE)x25 - 1) * (_BYTE)x25) & 1) != 0 );return v3; }

可知這里如果要返回4919的話，那么只可能在else中，也就是這兩行

v4 = sanitize_input(v6);*v7 = v4;v3 = *v7;return v3;

因?yàn)槿绻鹶5為true的話，（絕對不可能返回4919）

*v7 = legend >> 2;//legend dd 73h v3 = *v7;return v3;

sanitize_input(v6);

核心代碼1

v46 = a1;//a1位傳入sanitize_input(v6)函數(shù)的參數(shù)v6v31 = (char *)std::string::operator[](v46, v33);*v40 = *v31;std::vector<int>::push_back(v42, v40);std::vector<int>::vector(v36, v42);v19 = transform_input(v36);

核心代碼2

v23 = (int *)std::vector<int>::operator[]((unsigned int)&hero, v24); v21 = *v23; v18 = v21 == v19;

transform_input(v36)

核心代碼

LODWORD(v6[0]) = 0;LODWORD(v6[-2]) = 0;v15 = v6;v17 = a1;v2 = (_DWORD *)std::vector<int>::operator[](v17, *(int *)v14);*(_DWORD *)v15 += *v2;v7 = *(_DWORD *)v15;return v7;

[MRCTF2020]VirtualTree

拖進(jìn)ida

int __cdecl main(int argc, const char **argv, const char **envp) {int i; // [esp+8h] [ebp-24h]((void (__cdecl *)(_DWORD, _DWORD))loc_401510)(0, 0);sub_401070("Give Me Your Key:\n");sub_4010E0("%s", (const char *)&dword_421318);if ( strlen((const char *)&dword_421318) != 16 ){sub_401070("Wrong!\n");_loaddll(0);}sub_401680(dword_421310);sub_4016F0();for ( i = 0; i < 16; ++i ){if ( byte_4208EC[i] != *((_BYTE *)&dword_421318 + i) ){sub_401070("Wrong!\n");_loaddll(0);}}sub_401070("Right!\n");sub_401070("your flag: MRCTF{%s}\n");sub_40545E("pause");return 0; }

strlen((const char *)&dword_421318) != 16

判斷長度是否等于16字節(jié)

sub_401680(dword_421310)

int __cdecl sub_401680(int a1) {int result; // eaxresult = a1;if ( *(_BYTE *)a1 ){if ( *(_DWORD *)(a1 + 4) )sub_401680(*(_DWORD *)(a1 + 4));result = dword_421314;*((_BYTE *)&dword_421318 + dword_421314++) ^= *(_BYTE *)a1;if ( *(_DWORD *)(a1 + 8) )result = sub_401680(*(_DWORD *)(a1 + 8));}return result; }

這里類似是二叉樹結(jié)構(gòu)，因?yàn)檫@個(gè)題提供了源碼，查看源碼

void walkB(tree *T) {if(T->data!=NULL){if(T->right!=NULL)walkB(T->right);buff[idx++]^=T->data;if(T->left!=NULL)walkB(T->left);} }

int sub_4016F0()

int sub_4016F0() {((void (__cdecl *)(_DWORD, int))loc_401510)(0, 10);((void (__cdecl *)(int, int))loc_401510)(1, 2);((void (__cdecl *)(int, int))loc_401510)(2, 7);((void (__cdecl *)(int, int))loc_401510)(3, 7);((void (__cdecl *)(int, int))loc_401510)(4, 5);((void (__cdecl *)(int, int))loc_401510)(6, 1);((void (__cdecl *)(int, int))loc_401510)(7, 3);((void (__cdecl *)(int, int))loc_401510)(8, 7);((void (__cdecl *)(int, int))loc_401510)(9, 8);((void (__cdecl *)(int, int))loc_401510)(10, 7);((void (__cdecl *)(int, int))loc_401510)(11, 12);((void (__cdecl *)(int, int))loc_401510)(12, 2);((void (__cdecl *)(int, int))loc_401510)(14, 15);return ((int (__cdecl *)(int, int))loc_401510)(15, 2); }

對應(yīng)源代碼

void xors(int a,int b) {_asm{xor eax,eaxjz label1_emit 0xE8label1:}buff[a]=buff[a]^buff[b]; } void sub(int a,int b) {_asm{xor eax,eaxjz label2_emit 0xE8label2:}buff[a]=abs(buff[a]-buff[b]); } void add(int a,int b) {_asm{xor eax,eaxjz label3_emit 0xE8label3:}buff[a]+=b; }_asm{push 10push 0mov eax,0x00401510 //add 1call eaxadd esp,8push 2push 1mov eax,0x00401510 //xor 2call eaxadd esp,8push 7push 2mov eax,0x00401510 //add 3call eaxadd esp,8push 7push 3mov eax,0x00401510 //sub 4call eaxadd esp,8push 5push 4mov eax,0x00401510 //xor 5call eaxadd esp,8push 1push 6mov eax,0x00401510 //sub 6call eaxadd esp,8push 3push 7mov eax,0x00401510 //add 7call eaxadd esp,8push 7push 8mov eax,0x00401510 //xor 8call eaxadd esp,8push 8push 9mov eax,0x00401510 //sub 9call eaxadd esp,8push 7push 10mov eax,0x00401510 //sub 10call eaxadd esp,8push 12push 11mov eax,0x00401510 //xor 11call eaxadd esp,8push 2push 12mov eax,0x00401510 //sub 12call eaxadd esp,8push 15push 14mov eax,0x00401510 //xor 13call eaxadd esp,8push 2push 15mov eax,0x00401510 //add 14call eaxadd esp,8nopnop}

腳本第一步：

a=[0x17,0x63,0x77,0x3,0x52,0x2E,0x4A,0x28,0x52,0x1B,0x17,0x12,0x3A,0xA,0x6C,0x62] a[15]-=15 a[14]^=a[15] a[12]+=a[2] a[11]^=a[12] a[10]+=a[7] a[9]+=a[8] a[8]^=a[7] a[7]-=3 a[6]+=a[1] a[4]^=a[5] a[3]+=a[7] a[2]-=7 a[1]^=a[2] a[0]-=10

腳本第二步：

二叉樹初始化:

tree *n[16];for(int i=0;i<16;i++)n[i]=(tree*)malloc(sizeof(tree));for(int i=0;i<16;i++)n[i]->data='A'+i;n[0]->left=n[1];n[0]->right=n[2];n[1]->left=n[3];n[1]->right=n[4];n[2]->left=n[5];n[2]->right=n[6];n[3]->left=n[7];n[3]->right=n[8];n[4]->left=n[9];n[4]->right=NULL;n[5]->left=n[10];n[5]->right=NULL;n[6]->left=n[11];n[6]->right=n[12];n[7]->right=n[7]->left=NULL;n[8]->left=NULL;n[8]->right=n[13];n[9]->left=n[9]->right=NULL;n[10]->left=n[14];n[10]->right=n[15];n[11]->left=n[11]->right=n[12]->left=n[12]->right=NULL;n[13]->left=n[13]->right=NULL;n[14]->left=n[14]->right=n[15]->left=n[15]->right=NULL;Tree=n[0];

右根左的改變法則：

a[0]^=ord('M') a[1]^=ord('G') a[2]^=ord('L') a[3]^=ord('C') a[4]^=ord('F') a[5]^=ord('P') a[6]^=ord('K') a[7]^=ord('O') a[8]^=ord('A') a[9]^=ord('E') a[10]^=ord('J') a[11]^=ord('B') a[12]^=ord('I') a[13]^=ord('N') a[14]^=ord('D') a[15]^=ord('H') print(''.join(chr(i) for i in a))

但輸出不對。估計(jì)哪里想錯(cuò)了

《新程序員》：云原生和全面數(shù)字化實(shí)踐50位技術(shù)專家共同創(chuàng)作，文字、視頻、音頻交互閱讀

總結(jié)

以上是生活随笔為你收集整理的[XMAN2018排位赛]Dragon Quest [MRCTF2020]VirtualTree的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。

上一篇： [watevrCTF 2019]Repy
下一篇： IDEA是否会嫌导jar包麻烦吗？？？赶